[Feat]: Support for AWS ECR Authentication with Temporary Tokens

[tamilhce]

Title: Support for AWS ECR Authentication with Temporary Tokens

Description

We have configured AWS ECR as a sync registry for Zot running in our local cluster. Currently, Zot expects registry credentials in the following format:

"registry2:5000": {
    "username": "user2",
    "password": "pass2"
}

However, AWS ECR provides temporary tokens for authentication, as described in the AWS ECR documentation. For Docker, the amazon-ecr-credential-helper manages this by setting the token in the format expected by the Docker daemon, which is the standard for accessing ECR.

I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed. I would appreciate your valuable suggestions and feedback on the best approach for this enhancement.

[rchincha]

@tamilhce thanks for trying out zot.

Looks like there is a requirement for a per-upstream credentials helper.
There will need to be changes in the config model and some backend code.

For the sync (mirroring) feature, zot is both a server and a client, so expect some of these issues to pop up.

I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed.

Always happy to receive PR/contributions if it helps/enables use cases.

Pls take a look at our existing config model and post a draft PR. We can iterate on it.

[tamilhce]

Sure, @rchincha. In the meantime, I reviewed the amazon-ecr-credential-helper. I don’t think we can directly leverage it because amazon-ecr-credential-helper installed on each node. This requires Zot to have access to the root filesystem.

Instead, we could implement something like:

"registry2:5000": {
  "credential-store": "ecr"
}

In this approach, Zot would manage ECR credentials directly based on the credential-store.
We can give the Zot pod access to ECR by assigning the appropriate IAM roles(similar to https://zotregistry.dev/v2.0.0/articles/storage/#configuring-remote-storage-with-s3) . The AWS profile attached to the pod should follow a similar role setup:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}

We can fetch the authorization token using the go AWS SDK, similar to this command, and ensure the token stays up to date by periodically validating its expiration:

TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

Then, update the requests with the corresponding token for API authentication, as shown below:

curl -i -H "Authorization: Basic $TOKEN" https://aws_account_id.dkr.ecr.region.amazonaws.com/v2/amazonlinux/tags/list

I haven’t had the chance to work on this yet, but I’ll prioritize it for next week.

[tamilhce]

Sorry for the delay in responding. The feature is now code complete: FYI (https://github.com/tamilhce/zot/tree/tamilhce/ecr-cred-helper). Before creating the pull request, I will test this locally and check if I can add additional test cases.

[tamilhce]

I have created the PR here. @rchincha, please review it at your convenience. I welcome your feedback and suggestions!

[rchincha]

@tamilhce pls submit your PR. The approach overall looks fine to me. Let others take a look also.

[tamilhce]

I have submitted the PR against the master branch now
#2907